Bug 1432083

Summary: tomcat_t domain is in unconfined_domain
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Fixed In Version: selinux-policy-3.13.1-145.el7
Doc Type: If docs needed, set a value
Reporter: omokazuki <ka-omo>
Assignee: Vit Mojzis <vmojzis>
QA Contact: Milos Malik <mmalik>
CC: csutherl, dmoppert, jonderka, lvrabec, mbabacek, mgrepl, mmalik, plautrba, pvrabec, ssekidde, zpytela
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Last Closed: 2017-08-01 15:22:43 UTC

Description omokazuki 2017-03-14 13:41:25 UTC
Description of problem:

It seems the tomcat_t domain is in unconfined_domain, so any process running in the tomcat_t domain can access any file. Maybe there is a bug in the policy file.
(I checked Fedora 25 and RHEL 7.3.)

Version-Release number of selected component (if applicable):

Policy version 28.

[root@localhost ~]# seinfo

Statistics for policy file: /sys/fs/selinux/policy
Policy Version & Type: v.28 (binary, mls)

   Classes:            91    Permissions:       256
   Sensitivities:       1    Categories:       1024
   Types:            4729    Attributes:        251
   Users:               8    Roles:              14
   Booleans:          301    Cond. Expr.:       350
   Allow:          101261    Neverallow:          0
   Auditallow:        157    Dontaudit:        8030
   Type_trans:      17756    Type_change:        74
   Type_member:        35    Role allow:         39
   Role_trans:        416    Range_trans:      5697
   Constraints:       109    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             28
   Genfscon:          105    Portcon:           596
   Netifcon:            0    Nodecon:             0
   Permissives:         6    Polcap:              2

[root@localhost ~]# rpm -qa|grep -i policy
selinux-policy-targeted-3.13.1-102.el7_3.15.noarch
selinux-policy-3.13.1-102.el7_3.15.noarch
policycoreutils-2.5-11.el7_3.x86_64

How reproducible:


Steps to Reproduce:
1. Run "sesearch -ACS -s tomcat_t -t shadow_t -c file -p read"
2. Run "seinfo -ttomcat_t -x"

Actual results:
[root@localhost ~]# sesearch -ACS -s tomcat_t -t shadow_t -c file -p read
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans open audit_access } ; 

[root@localhost ~]# seinfo -ttomcat_t -x
   tomcat_t
      can_change_object_identity
      can_load_kernmodule
      can_load_policy
      can_setbool
      can_setenforce
      corenet_unconfined_type
      corenet_unlabeled_type
      devices_unconfined_type
      domain
      files_unconfined_type
      filesystem_unconfined_type
      kern_unconfined
      kernel_system_state_reader
      process_uncond_exempt
      selinux_unconfined_type
      storage_unconfined_type
      unconfined_domain_type
      dbusd_unconfined
      daemon
      syslog_client_type
      sepgsql_unconfined_type
      tomcat_domain
      userdom_filetrans_type
      x_domain
      xserver_unconfined_type
[root@localhost ~]# 

Expected results:

The tomcat_t domain should not have the unconfined_domain_type attribute.

Additional info:
I submitted the same issue on the Fedora Bugzilla.
https://bugzilla.redhat.com/show_bug.cgi?id=1432055
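
The check in the reproduction steps above, generalised to any domain, as an added example (not code from the bug report or from selinux-policy): it parses `seinfo -t<type> -x` output in the setools3 layout shown in the report (type name on the first line, then one attribute per indented line; setools4 prints a different layout and would need its own parser) and lists the attributes that make the domain unconfined. The two sample outputs are constructed: TOMCAT_SEINFO is abridged from the listing in the report, example_confined_t is a hypothetical confined domain.

```python
"""Flag SELinux domains that carry unconfined attributes.

Added example, not code from the bug report or from selinux-policy. It
parses `seinfo -t<type> -x` output in the setools3 layout the report
shows (type name, then one attribute per indented line) and reports the
attributes that make the domain unconfined. The sample outputs below are
constructed: TOMCAT_SEINFO is abridged from the report, CONFINED_SEINFO
is a hypothetical confined domain.
"""
import subprocess
import sys

# Attributes assigned by unconfined_domain(); each one bypasses a whole
# class of access control (files, devices, network, SELinux itself, ...).
UNCONFINED_ATTRS = frozenset({
    "unconfined_domain_type", "files_unconfined_type",
    "filesystem_unconfined_type", "devices_unconfined_type",
    "corenet_unconfined_type", "selinux_unconfined_type",
    "storage_unconfined_type", "kern_unconfined", "dbusd_unconfined",
    "sepgsql_unconfined_type", "xserver_unconfined_type",
})
# Not "unconfined" by name, but each lets the domain weaken the policy.
PRIVILEGED_ATTRS = frozenset({
    "can_load_policy", "can_setenforce", "can_setbool",
    "can_load_kernmodule", "can_change_object_identity",
})

# Abridged from the `seinfo -ttomcat_t -x` output in the report.
TOMCAT_SEINFO = """\
   tomcat_t
      can_change_object_identity
      can_load_kernmodule
      can_load_policy
      can_setbool
      can_setenforce
      corenet_unconfined_type
      devices_unconfined_type
      domain
      files_unconfined_type
      filesystem_unconfined_type
      kern_unconfined
      selinux_unconfined_type
      unconfined_domain_type
      daemon
      tomcat_domain
"""
# Hypothetical confined daemon, constructed for contrast.
CONFINED_SEINFO = """\
   example_confined_t
      domain
      daemon
      syslog_client_type
"""


def parse_seinfo_type(output):
    """Return (type_name, attribute set) from setools3 `seinfo -tTYPE -x` text."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty seinfo output")
    return lines[0], frozenset(lines[1:])


def unconfined_findings(attrs):
    """Split a domain's attributes into the unconfined and privileged ones."""
    return {
        "unconfined": sorted(attrs & UNCONFINED_ATTRS),
        "privileged": sorted(attrs & PRIVILEGED_ATTRS),
    }


def is_unconfined(attrs):
    """True if any attribute lets the domain escape its confinement."""
    return bool(attrs & UNCONFINED_ATTRS)


def audit_domain(type_name, seinfo_output=None):
    """Audit one domain; runs seinfo on the live policy when no output is given."""
    if seinfo_output is None:
        seinfo_output = subprocess.run(
            ["seinfo", "-t" + type_name, "-x"],
            check=True, capture_output=True, text=True,
        ).stdout
    name, attrs = parse_seinfo_type(seinfo_output)
    return {"type": name, "confined": not is_unconfined(attrs),
            **unconfined_findings(attrs)}


if __name__ == "__main__":
    # With arguments: audit live policy types. Without: audit the samples.
    if len(sys.argv) > 1:
        results = [audit_domain(t) for t in sys.argv[1:]]
    else:
        results = [audit_domain("tomcat_t", TOMCAT_SEINFO),
                   audit_domain("example_confined_t", CONFINED_SEINFO)]
    for r in results:
        print(r)
```

Run it with the daemon domains you care about (`python3 audit_unconfined.py tomcat_t httpd_t`, file name assumed) and anything reported with confined=False deserves the same scrutiny as this bug. A quicker cross-check on the live policy is `seinfo -aunconfined_domain_type -x`, which expands the attribute and lists every type that carries it; on an unpatched 7.3 system tomcat_t appears in that list.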

Comment 3 Lukas Vrabec 2017-03-23 11:28:58 UTC
I expect more AVCs here, could you test tomcat in permissive mode? 

Thanks.

Comment 7 omokazuki 2017-03-28 07:19:19 UTC
(In reply to Lukas Vrabec from comment #3)
> I expect more AVCs here, could you test tomcat in permissive mode? 
> 
> Thanks.

Hi,

I'm not an expert on tomcat (I'm just a security researcher), so I can't get enough
AVCs for tomcat to work properly. Sorry...

So I guess we have 2 ways to fix this:

1. Just remove unconfined_domain(tomcat_t) from tomcat.te
or
2. Add a boolean like the one below (example) to choose whether tomcat works in unconfined_domain or not.

I know the policy below will not work (I couldn't compile it on Fedora 25),
but I guess we could create this kind of boolean as a temporary solution.
So what do you think?

OMO
------------------------------------------------------------
+#######################################
+#
+# tomcat local policy
+#
+
+## <desc>
+## <p>
+## Allow tomcat to run unconfined scripts
+## </p>
+## </desc>
+gen_tunable(tomcat_run_unconfined, true)
+
+tunable_policy(`tomcat_run_unconfined',`
+    optional_policy(`
+            unconfined_domain(tomcat_t)
+    ')
+')
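
Review bot: the tunable_policy block cannot wrap unconfined_domain(tomcat_t), which is why this does not compile: that interface works by assigning type attributes (unconfined_domain_type, files_unconfined_type and the rest shown in the seinfo output earlier in the report), and typeattribute statements are not permitted inside a conditional block, so whether a type carries an attribute can never depend on a boolean. The tunable also defaults to on, `gen_tunable(tomcat_run_unconfined, true)`, so tomcat_t would stay unconfined on every default install, the opposite of the expected result stated in the report; a tunable of this kind would have to default to false. The `<desc>` text "Allow tomcat to run unconfined scripts" describes something narrower than what the block does, which is to make tomcat_t itself unconfined. Given the conditional restriction, option 1 is the workable path: drop the unconfined_domain(tomcat_t) call and add the rules tomcat needs from AVCs collected in permissive mode, as asked in comment #3.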

Comment 21 errata-xmlrpc 2017-08-01 15:22:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861